Conference PaperPDF Available

A comparative safety assessment for Direct Current and Direct Current with hybrid supply power systems in a windfarm Service Operation Vessel using System- Theoretic Process Analysis


Abstract and Figures

As windfarms are moving further offshore, their maintenance has to be supported by the new generation Service Operation Vessels (SOV) with Dynamic Positioning capabilities. For the SOV safe operations it is crucial that any hazardous scenario is properly controlled. Whilst international regulations require the implementation of Failure Modes and Effects Analysis (FMEA) for SOV power systems, FMEA has been criticised for not addressing properly failures in control systems. In this study, System-Theoretic Process Analysis (STPA) is employed for identifying the hazardous scenarios in terms of Unsafe Control Actions (UCAs) in Direct Current (DC) and DC with batteries power systems. Then the identified UCAs are ranked based on their risk. The results demonstrate that the number of hazardous scenarios derived by the STPA increases in a power system with batteries in comparison to a conventional DC power system, thus depicting higher complexity of this system. However, the increase in overall risk is small and within acceptable limits, whilst the risk reduces for a number of UCAs leading to Diesel Generator overload sub-hazard.
Content may be subject to copyright.
7th European STAMP Workshop & Conference
18 - 20 September 2019, Helsinki
A comparative safety assessment for Direct Current and
Direct Current with hybrid supply power systems in a
windfarm Service Operation Vessel using System-
Theoretic Process Analysis
Victor Bolbot1*, Romanas Puisa1, Gerasimos Theotokatos1, Evangelos Boulougouris1
and Dracos Vassalos1
1 Maritime Safety Research Centre, University of Strathclyde, UK
As windfarms are moving further offshore, their maintenance has to be supported by the new
generation Service Operation Vessels (SOV) with Dynamic Positioning capabilities. For the SOV
safe operations it is crucial that any hazardous scenario is properly controlled. Whilst international
regulations require the implementation of Failure Modes and Effects Analysis (FMEA) for SOV power
systems, FMEA has been criticised for not addressing properly failures in control systems. In this
study, System-Theoretic Process Analysis (STPA) is employed for identifying the hazardous
scenarios in terms of Unsafe Control Actions (UCAs) in Direct Current (DC) and DC with batteries
power systems. Then the identified UCAs are ranked based on their risk. The results demonstrate
that the number of hazardous scenarios derived by the STPA increases in a power system with
batteries in comparison to a conventional DC power system, thus depicting higher complexity of this
system. However, the increase in overall risk is small and within acceptable limits, whilst the risk
reduces for a number of UCAs leading to Diesel Generator overload sub-hazard.
Keywords: Windfarm Service Operation Vessels, Safety, Blackouts, Diesel-Electric Propulsion,
Hybrid Diesel-Electric Propulsion
Offshore wind-faming is becoming a major source of the renewable energy in many countries.
However, the offshore wind farms maintenance cost currently impacts on the competitiveness of the
electricity produced. Present safety requirements and needs of the service personnel influence wind
farm locations and operational flexibility. Consequently, future Service Operation Vessels (SOVs)
need to be more efficient and safer in order to meet future demands. Next generation support vessels
providing safe and more efficient offshore wind farm servicing (the EU-funded NEXUS project) is
aiming to deliver an advanced SOV design optimised for efficiency, performance, safety, and
working environment whilst minimising costs throughout the life-cycle by 20% compared to the
current state of the art vessels (EC, 2019). As wind farms are moving further from the coast,
significant innovations in the SOV design are required. This, together with stringer emission
regulations and fluidity in the fuel market prices, render attractive the use of alternative fuels and
power generation systems, including hybrid power supply, where diesel-generators and batteries
are used to cover ship energy needs.
The incorporation of batteries achieves fuel consumption reduction by running Diesel
Generator (D/G) sets at optimum load by peak load shaving and functioning as a spinning reserve
* Corresponding author: tel. +447706578021 email:
(Brandsaeter, Valoen, Mollestad, & Haugom, 2015; Geertsma, Negenborn, Visser, & Hopman, 2017;
Räsänen, 2017). Implementation of batteries support the D/G sets downsizing, which results in the
D/G sets operation at their most efficient load ranges (Brandsaeter et al., 2015). Other advantages
include higher redundancy in the system and lower emissions due to the batteries charging from the
local grid in harbour (Brandsaeter et al., 2015; Geertsma et al., 2017). On the SOV, due to the
Dynamic Positioning (DP) power requirements, the D/G sets are often oversized or pushed to
operate at lower loads to be able to withstand a sudden loss of a D/G set in adverse weather
conditions. Therefore, incorporation of batteries to provide the necessary spinning reserve during
faulty conditions or power during power peaks on SOV can provide substantial benefits in terms of
fuel savings during DP and other operations. Batteries disadvantages include relatively high
procurement cost (Brandsaeter et al., 2015; Geertsma et al., 2017), large batteries size and weight
(Räsänen, 2017), limited number of recharging cycles (Räsänen, 2017) and addition of new
hazardous scenarios to the system (Bolbot, Theotokatos, Boulougouris, & Vassalos, 2019;
Brandsaeter et al., 2015).
On the next generation SOV, with increased technicians and crew numbers, ensuring safety
of power generation system is paramount as any malfunctions such as blackout or brownout may
lead to contact/collision/grounding. These accidents in turn can result in ships progressive flooding
and capsize with crew and technicians getting drown (Vassalos et al., 2019). In addition, the
introduction of batteries increases hazardous scenarios number resulting in fire, explosion and crew
intoxication (Brandsaeter et al., 2015), e.g., a fire on hybrid-electric tugboat occurred due to
malfunction of Battery Management System (Hill, Agarwal, & Gully, 2015), whilst a number of similar
incidences have been reported in other industries (Hill et al., 2015). In this respect, it is crucial to
ensure that all these scenarios are identified and properly addressed during the system design.
The primary reference for designing safe power generation systems is the IMO regulations
(Organization, 2014) and classification society rules (DNVGL, 2015). Currently, the main hazard
identification method in the DP systems is the Failure Mode and Effect Analysis (FMEA), which is
applied to ensure adequate system components redundancy (DNVGL, 2015; IMCA, 2015). In
previous studies, a high-level FMEA has been used for comparative safety analysis of different
propulsion systems, including power system with batteries in other ships, for example a Ferry boat
in (Jeong, Oguz, Wang, & Zhou, 2018). However, FMEA has been criticised for not addressing
properly the automation functions in the system (Bolbot, Theotokatos, Bujorianu, Boulougouris, &
Vassalos, 2019; Rokseth, Utne, & Vinnem, 2017; Sulaman, Beer, Felderer, & Höst, 2017; Thomas,
2013). On the other hand, control and automation functions have an important role for power
generation on DP vessels (United Kingdom Protection & Indemnity Club, 2015). Considering this,
System-Theoretic Process Analysis (STPA) has been proposed to be used to address the
complexity in interactions between the control systems and physical processes (N. G. Leveson,
2011). In (Bolbot, Theotokatos, Boulougouris, et al., 2019) the safety of hybrid-electric propulsion
system and classical propulsion system using Alternate Current for electrical power distribution has
been compared using STPA on a cruise ship vessel. Other studies have referred to potential safety
issues on ship power systems with batteries but they did not follow a hazard identification method
for their analysis (Hill et al., 2015).
Pertinent literature reveals a number of research gaps: (a) hazard analysis of power systems
with Direct Current (DC) power network and DC power with batteries system on SOV using STPA
and (b) incorporation of risk as a measure in STPA to compare different designs. The research gap
leads to the aim of this study, which is to analyse the safety of power systems on SOV with batteries
using STPA and to compare it with standard DC power systems in terms of risk.
This paper is organised as follows: in section two, the methodology steps are presented; in
section three, a short description of the analysed system is provided; in section four, the analysis
results and safety recommendations are given; finally, in section five, the main findings of this study
are summarised.
As it has been referred in the introduction, STPA has been selected in this study to identify the
hazardous scenarios. However STPA has been criticised for not allowing risk estimation and
criticality analysis (Dawson et al., 2015); for this reason the STPA method has been enhanced. The
method steps are presented in Figure 1 and described in more detail below.
STPA defines the accident as: “an undesired and unplanned event that results in loss,
including loss of human life or human injury, property damage, environmental pollution, mission loss,
financial loss, etc.” (Leveson & Thomas, 2018). The hazards in the STPA framework are understood
as: “system states or set of conditions that together with a worst-case set of environmental
conditions, will lead to an accident” (Leveson & Thomas, 2018). The hazards in STPA are viewed
on a system level, so they go beyond the single failures that may occur in the system and should be
referred to a specific state of the system. Sub-hazards are considered states in a worst-case
scenario leading to hazard realisation. Generic requirements can be specified, based on the hazards
and sub hazards.
The development of a functional control structure is one of the differentiating points of the
STPA analysis, compared with the other methods (Leveson & Thomas, 2018). Usually, it starts with
a high-level abstraction of the system and proceeds to a more detailed system description. The initial
control structure consists of the high-level controller, the human operator and the controlled process
with the basic control, feedback and communication links. A more detailed description would
incorporate a hierarchy of controllers. Both high-level and detailed control structure can be used for
the safety analysis at different system design stages. After the development of the basic control
structure, the next step is its refinement. The required actions include a) the identification of each
controller responsibilities; b) the process model with process variables and potential process variable
values; c) the control actions; d) the behaviour of the actuators; e) the information from the sensors;
f) the information from the other controllers.
The actual hazards identification starts by finding the Unsafe Control Actions (UCAs). The
possible ways to proceed are either by using the control actions types as initially proposed for the
STPA (N. Leveson, 2011) or by using the context tables as proposed in Thomas (2013). Herein, the
second of the two approaches has been selected. According to both approaches, the possible UCAs
can be of the following seven types (Leveson & Thomas, 2018):
Not providing the action leads to a hazard.
Providing of a UCA that leads to a hazard.
Providing the control action too late.
Figure 1 STPA steps.
Providing the control action too early.
Providing the control action out of sequence.
Control action is stopped too soon
Control action is applied for too long.
According to the STPA, there is also another type of UCA, when the safe control action is
provided but is not followed. This type of failure mode is addressed during the identification of causal
factors in the second step of the method. Similarly, with the system hazards, safety constraints can
be derived for the UCAs, aiding the identification of possible safety barriers.
The second step in the hazard identification of the STPA has the purpose of determining all
the scenarios and causal factors leading to the UCAs. This is done by examining the hazardous
scenarios, including software and physical failures as well as design errors. There are several ways
to organise the results of the hazardous scenarios by using tables or lists. In this work, the process
was augmented by a checklist, developed on the basis of previous studies (Becker & Van Eikema
Hommes, 2014; Blandine, 2013). The main categories of causal factors are:
Inappropriate control input
Hardware failure
Software faulty implementation
Software faulty design
Erroneous or missing input
Inadequate control command transmission
Flawed execution due to failures in actuator or physical process
Conflicting control actions
The systemic and contributory causal factors (Puisa, Lin, Bolbot, & Vassalos, 2018) have not
been considered during identification of the causal factors, as the implementations of proper training
for system operator and maintenance is out of the scope of system designer. The aim of the designer
is to ensure the adequate reliability and availability of system functions. Therefore, the aim of the
analysis is to rank the different hazardous scenarios identified by the STPA to allow better allocation
of resources to specific controllers; hence the different scenarios (UCAs) risk is estimated.
The new part of the STPA in the presented methodology is the risk estimation for the identified
UCAs. The basic assumption behind the estimation is that UCA can be considered as the central
undesired event in the system, thus being in the centre of the Bow Tie as depicted in Figure 2. Then
the total risk can be estimated as aggregation of individual UCAs risks. In a similar way with Level
of Protection Analysis method (BSI, 2004), the risk of an UCA is considered dependent on its causal
factors, the effectiveness of mitigation barriers, and coincidence with inadvertent environmental
factors. If the causal factors likelihood, the accident severity, the mitigation barriers/measures
effectiveness and relevant inadvertent environmental factors are quantified, the risk for each UCA
can be estimated.
For the analysis presented in the methodology herein, with the exception of the above, the
following additional assumptions have been made:
The UCAs causal factors are independent (Blandine, 2013) as the systemic and contributory
factors (Puisa et al., 2018) are omitted as the focus is on the system design.
If UCA leads to more than two hazards, then paths with the smaller risk can be ignored.
Similarly, if multiple causal factors result in UCAs, the causal factors with smaller likelihood can
be ignored for estimations.
The overall risk can be aggregated and calculated for the system based on individual UCAs risk.
Each mitigation barrier can mitigate the 90% of relevant hazardous conditions. This is rather a
conservative assumption with regard to effectiveness of mitigation barriers (BSI, 2004).
The UCA causal factors frequency and the UCA context factors frequency are independent from
each other.
The UCA causal factors frequency is estimated by considering it together with the relevant UCAs
preventative barriers effectiveness.
Accidents are considered as disjoint and independent.
If UCAs are caused by other UCAs (they are practically their causal factors), then these causal
UCAs are omitted for estimation of risk for UCAs. Instead, these causal UCAs are considered to
contribute to risk independently from other UCAs.
Causal factors resulting in multiple UCAs occurring are repeated for each UCA risk estimation,
as this assumption has no influence on estimation of the total risk.
The Potential Loss of Life () is one of the expressions of Societal Risk (International
Maritime Organisation, 2013) and is defined as expected value of the number of fatalities per year
(International Maritime Organisation, 2013; Vinnem, 2014):
 = ∑ ∑  (1)
Where  is the annual frequency of accidental scenario (event tree terminal event) with
personal consequences and  is expected number of fatalities in each accidental scenario (event
tree terminal event) with personal consequences .
The  is connected to the Individual Risk (IR) according to the following equation (Johansen
& Rausand, 2012), where N is the number of people in population exposed to risk:
 =   (2)
Based on the assumptions above, the  can be approximated as sum of risk of individual
UCAs as follows:
 =
Now the risk for each UCA using frequency of accidental scenario and consequence
of accidental scenario expressed in fatalities per year is estimated as follows:
Figure 2 The simplified Bow Tie
=  ×  [fatalities per ship-year] (4)
The frequency of each accidental scenario is estimated using UCA frequency ,
effectiveness of mitigation controls and probability of inadvertent environmental context as in
eq. (5) and the severity of each accidental scenario is estimated as in eq.(6):
= ×  ×  =  × 10 × 10 [events per ship-year] (5)
= 10 [fatalities per events] (6)
The ranking for effectiveness of mitigation measures is implemented according to Table 1.
For the ranking of available mitigating barriers, different mitigating barriers type are considered
namely a) the presence of redundant component implementing the same function with the faulty
one, b) available safety or reconfiguration functions c) humans operators rectification actions. The
ranking of inadvertent environmental factors () is implemented as in Table 3. The Severity Index
for accident () is selected according to Table 2 retrieved from Formal Safety Assessment
Guidelines (International Maritime Organisation, 2013).
The UCA is described by referring to the controller, the control action, the control action failure
type, the context and the link to the hazard (Leveson & Thomas, 2018). Practically though, an UCA
will occur if specific control action failure mode is realised in specific context. In case of a Fault Tree
this relationship would be represented using AND gate, hence multiplication between frequency of
control action failure mode and probability of specific context is required. However, the control action
failure mode can be attributed to the specific causal factors, identified previously, which can be
connected using OR gate to the UCA (Blandine, 2013). Wrong execution practically refers to one of
the UCAs types (Leveson & Thomas, 2018) and has been already included in identification of causal
factors. Therefore, the UCAs frequency () is estimated as in eq.(7) using frequency of causal
factors leading to relevant control action failure mode, the number of controllers in system,
which can implement the specific UCA and the probability of the UCA context:
 =  × × 10 [events per ship-year] (7)
The  is ranked using Table 4, retrieved from Formal Safety Assessment Guidelines
(International Maritime Organisation, 2013) and is estimated as in eq.(8), whilst  ranking used
for estimating the probability of UCA context is based on Table 5.
 = 10 [events per ship-year] (8)
Table 1 Ranking for availability of UCAs mitigation measures
Ranking (
) Definition Unavailability of mitigation
6 No controls provided 10
5 Some mitigation controls availability
(One control barrier)
4 Adequate mitigation controls availability
(Two control barriers)
3 Rare mitigation controls unavailability
(Three control barriers)
2 Remote mitigations controls unavailability
(Four control barriers)
1 Extremely remote mitigations controls unavailability
(Five control barriers and above)
Table 2 Ranking for severity of UCAs hazards/accidents (International Maritime
Organisation, 2013).
Definition Effects on human
Effects on
Oil spillage Equivalent
4 Catastrophic Multiple fatalities Total loss Oil spill size between
< 100 - 1000 tonnes
3 Severe Single fatality or
multiple severe
Oil spill size between
< 10 - 100 tonnes
2 Significant Multiple or severe
ship damage
Oil spill size between
< 1 - 10 tonnes
1 Minor Single or minor
Oil spill size < 1
Table 3 Ranking for inadvertent environmental factors.
Ranking (
) Definition Probability of inadvertent
environmental factors
3 Uncontrolled UCA will always lead to accident 10
2 Uncontrolled UCA will sometimes lead to accident 10
1 Uncontrolled UCA will rarely lead to accident 10
Table 4 Ranking for causal factors frequency (International Maritime Organisation, 2013).
Definition F
(per ship
(per ship
7 Likely to occur once per month on one ship
10 1.14 10
5 Likely to occur once per year in a fleet of 10 ships, i.e. likely to
occur a few times during the ship's life
1.14 10
3 Likely to occur once per year in a fleet of 1,000 ships, i.e. likely
to occur in the total life of several similar ships
1.14 10
1 Likely to occur once in the lifetime (20 years) of a world fleet
of 5,000 ships
1.14 10
Table 5 Probability of UCA context.
Ranking (
) Definition Probability of inadvertent
environmental factors
4 Always 10
3 Sometimes 10
2 Rarely 10
1 Remotely 10
The initial power system and hybrid-electric power system single line diagram are presented
in Figure 4 whilst the functional control structure for both systems is given in Figure 3. Two
switchboards and engine rooms are required to comply with the DP requirements. The power
network is of the Direct Current type. Power Management System (PMS) starts/stops the engines
based on the ship consumers electric load demand. Switchover between the plant Diesel Generators
(D/G) is implemented based on the D/G sets running hours. The PMS can implement a fast-electrical
load reduction for the propulsion motors and bow thrusters as well as preferential tripping functions
(fast load reduction) by tripping electrical consumers. The D/G sets can operate in the variable speed
mode and their power output is regulated by speed governor (ECU 7) and Automatic Voltage
Regulator (AVR) whilst delivered power to network through converters is controlled by the Generator
Control Unit (GCU). A number of other smaller functions are supported by EIM and EMU units on
the D/G sets. Power transferred between sections is controlled by Bus Tie Unit (BTU). Several safety
systems are used to trip the D/G sets and the propulsion motors if a fault had been observed.
In the investigated hybrid-electric power system, in addition to the initial system components,
one battery pack per switchboard is installed. The battery output and condition are controlled by a
dedicated Battery Management System (BMS), which monitors the actual battery health state, the
battery and cell capacity and controls the battery cells charge status, the discharging/charging rate,
the power output and the battery auxiliary systems. The BMS communicates with PMS to determine
the actual power status and power demand implementing in this way the Energy Management
System functions. The BMS also communicates with fire-fighting systems to ensure the firefighting
Figure 4 Power network layout diagram
Figure 3 Power network control structure
actions operation. Battery capacity is considered adequate to cover the whole ship power demand
for a limited period. The considered battery is of Li-Ion type.
The following has been assummed with respect to the systems operation:
The power system control network is isolated from other networks, so no hazardous scenarios
are developed in the system because of cyber-attacks.
The human operator does not introduce new hazards, only mitigates them.
Power plant operates with the bus-tie circuit breaker disconnected.
Power can be transferred from switchboard to a switchboard using converters at Bow thruster
motor 3.
With respect to the case study it has assumed that the  for each UCA is either 2 (Significant)
or 3 (Severe). In addition the number of people on the ship, including crew and technicians has been
estimated as 60.
Based on previous Formal Safety Assessment studies, the following causality scenarios can
be considered as accidents (IMO, 2008):
Collision [A-1]
Contact [A-2]
Grounding [A-3]
Fire [A-4]
Explosion [A-5]
Machinery damage [A-6]
Foundering [A-7]
Operating personnel injury or death [A-8]
These accidents are not fully disjoint, as a fire can lead to collision and vice versa (Hamann,
Papanikolaou, Eliopoulou, & Golyshev, 2013). In addition, numerous hazards can be connected to
the accidents on a cruise ship and there can be interactions between different hazards. Herein, the
most important and those related to the system under analysis are referred (Bolbot, Theotokatos, &
Vassalos, 2018; IMO, 2008):
Propulsion loss [H-1] leading to collision, contact and grounding accidents. The propulsion loss
can be further developed into the following sub-hazards:
o D/G sets overload [H-1-1].
o Transients [H-1-2].
o Imbalanced power generation [H-1-3]
o D/G sets unavailability [H-1-4]
o Batteries unavailability [H-1-5]
o Propulsion motors unavailability [H-1-6]
Conditions contributing to fire in the engine room [H-2].
Uncontrolled electrical faults in equipment leading to [H-3] fire and explosions in system
components or blackout (propulsion loss).
Toxic/flammable atmosphere in battery room leading to crew intoxication and/or fire [H-4].
Anomalous conditions in batteries leading to fire and its expansion [H-5].
Arson – deliberate act resulting in fire [H-6].
Human erroneous operation [H-7]
Cyber-attack leading to any of previous hazards [H-8].
Water ingress [H-9]
Although, it is acknowledged that there is contribution from hazards [H-6]-[H-9] to the overall
system risk, these hazards can be considered as external to the system presented in Figure 4 and
Figure 3 and thus their analysis has been omitted. The interconnection between hazards and
accidents is schematically shown in Figure 5.
The developed control structure has been already provided in Figure 3. The difference
between the two power systems can be found in the presence of Battery Management System and
additional interactions between the fire-fighting system and the power system. The description of
responsibilities of each controller and their control actions, although necessary and used for the
analysis, have been omitted for brevity and confidentiality purposes.
The results of applying STPA and risk analysis and comparing the different results are
presented in Table 7, Table 8, Figure 6 and Figure 7. A guiding example of application of the method
is provided in Table 6. As it can be observed from Table 7, the number of the UCAs and the
associated causal factors is significantly higher in the system with batteries. This is owed to the
increased number of interactions between the control systems and the physical processes in a power
system with batteries. However, the estimated risk is only slightly higher in the power system with
batteries. The estimated individual risk for different Severity Indexes is smaller than negligible 10-6
and in every case smaller than the maximum tolerable risk for the crew 10-3 and maximum tolerable
risk for passengers 10-4 (International Maritime Organisation, 2013). So it can be considered as
acceptable. However, it should be noted that the estimated risk includes only failures in control
systems, whilst some scenarios that could be potentially identified with FMEA have not been
addressed. Consequently, the estimated risk would be greater, if FMEA related accidental scenarios
have been incorporated. It should be also noted, that there is a specific subjectivity in the analysis,
as a) uncertainty in the estimated frequencies and probabilities has not been incorporated and b)
there are numerical approximations in calculations due to the use of tables with rankings.
Consequently, the estimated risk must be taken with precaution. The subjectivity that exists in the
risk assessments is one of its major weaknesses (Aven, 2016; Goerlandt, Khakzad, & Reniers,
2016). Last, but not least the risk is estimated for a system and not the whole vessel, so it can be
used for comparison with acceptable values with precaution; it can be used though for comparison
of different systems and scenarios.
As it can be observed from the Table 8, the incorporation of batteries reduces the risk in all the
controllers but BMS. In addition, from the Figure 6, it can be observed that the contribution of the
D/G sets overload [H-1-1] sub-hazard to risk is smaller in the system with batteries than in the initial
system design. This can be attributed to the fact that batteries act as an additional barrier to the
overload sub-hazard. However, despite this, the total fire risk (including H-2 and H-5 hazards) as
can be observed is significantly higher in the system with batteries, as the batteries themselves are
a new potential source of fire.
Comparing Figure 6 with Figure 7, it can be observed that the relative contribution to the total
risk of the UCAs related to [H-1-1] sub-hazard (48%) is double of the relative contribution of the
UCAs number associated with [H-1-1] sub-hazard to the total (24% in the initial design). Similarly,
the number of the UCAs contributing to H-1-4 sub-hazard is 34% of the total contribution number,
yet their risk is only 11% of the total. This is due to the abundancy of barriers tackling the problem
of the D/G sets unavailability (sub-hazard [H-1-4]), compared to the other hazards, such as
redundancy in available D/G sets, whilst D/G set overload condition (sub-hazard [H-1-1]) can lead
to a hazardous condition if few barriers are faulty. Therefore, the scenario number can be considered
as inappropriate metric for safety comparison of different systems.
7th European STAMP Workshop & Conference
18 - 20 September 2019, Helsinki
Table 6 Example of application of the method.
Controller Controlee
mode Context Assumption
d /Sub
hazard Accident
factors m
control DG sets
t energy
status is
HIGH and
status is
Loss of power
generation for
several D/G
y H-1-1
e rules
A) Engine
room crew
provision of
fuel to the D/G
B) Propulsion
motors power
A) Other
vessels in
B) Inadequate
n between
vessels crew
C) Bad
conditions 4 3 4 3 1 3
Figure 5 Interconnection between hazards and accidents.
Some critical UCAs are provided in Table 7. As it can be observed, failures in the power
reduction functions applied during hazardous conditions are considered as the most critical in both
systems, as they constitute the last safety barrier before blackout in the systems. Another critical
failure is the faulty tripping of the D/G sets by the firefighting system in an engine room, as in this
case more than one D/G set can be disconnected from the network, leading to D/G sets overload
conditions. In a power system with batteries, the batteries failures management is also considered
as critical, as it can lead to fire with a reduced mitigation measures number. Hence, proper design
and testing of these functions shall be ensured in the power system.
Table 7 Comparison between initial and system with batteries.
STPA results Initial design Batteries included
UCA number 215 300 (+40%)
Causal factors
2247 3228 (+43%)
Estimated risk PLL
6.19 10
(SI=2) –
6.19 10
(SI=3) 7.17 10
(SI=2) –
7.17 10
(SI=3) (+16%)
Estimated risk
1.03 10
(SI=2) –
1.03 10
(SI=3) 1.20 10
(SI=2) – 1.20 10
Sample of most
critical UCAs
- Firefighting system falsely
activates quick closing fuel valve
- Power Management System
(PMS) disconnects consumers
necessary for power generation
functions, during overload
- PMS falsely reduces the
propulsion motors and bow
thrusters speed (and hence load)
- PMS trying to disconnect the
already disconnected heavy
consumers, hence not allowing
the implementation of power
reduction function on propulsion
motors and thrusters.
- PMS failing to reduce thrusters
- Battery management system not
disconnecting the batteries from the
network during electrical fault
- Battery management system not
increasing the cooling during electrical
fault conditions.
- Firefighting system falsely activates
quick closing fuel valve
- PMS falsely reduces the propulsion
motors and the bow thrusters speed (and
hence load)
- PMS trying to disconnect the
already disconnected heavy consumers,
hence not allowing the implementation of
power reduction function on propulsion
motors and the thrusters.
Table 8 Distribution of risks for initial and system with batteries.
Controller Initial PLL Hybrid PLL
AVR 4.80E-07 4.80E-07
BMS 0.00E+00 1.90E-06
Bus-tie controller 1.10E-07 1.10E-07
ECU 7 controller 4.53E-07 3.41E-07
EIM controller 3.57E-07 1.30E-07
Firefighting controller 1.08E-06 1.08E-06
GCU 1.08E-06 9.67E-07
PMS 2.62E-06 2.15E-06
Sea Water Cooling Pump controller 1.60E-08 1.42E-08
Thermostat 1.60E-09 1.42E-09
Total 6.19E-06 7.17E-06
As it can be observed from the results, the method allowed a rough estimation of the risk
metrics for different hazardous scenarios, the overall risk for the system and comparison of risk for
different systems. It was also possible to estimate the risk for different hazards and controllers.
Furthermore, the most critical controllers and scenarios in each system were highlighted. However
the estimated risk was not for the whole ship but for a specific system which complicated the
comparison with IMO acceptable values. In additions for the system risk estimation, some failure
driven scenarios have not been included. Further guidance on how to estimate the UCA
consequences and inadvertent environmental factors probability would be also beneficial for this
approach. Last, but not least there are several numerical approximations in the methods.
1% H-4
0% H-5
Figure 6 Distribution of estimated risk per hazards a) for initial power system b) for power
system with batteries.
a) b)
21% H-1-2
2% H-4
Figure 7 Distribution of identified UCAs per hazard a) for the initial system b) for the system
with batteries.
a) b)
In this study, a new approach for estimating risk metrics in a system based on the STPA has
been presented. The proposed approach was applied for comparison of Direct Current power system
with Direct Current power system with batteries on an SOV vessel.
The main findings of this study can be summarised as follows:
The new method allowed risk metrics estimation and comparison for different systems as well as
ranking of different scenarios.
The estimated risk for the failures in control systems, for both systems, is in tolerable regions,
according to criteria set by the method.
The risk, in the power system with batteries may slightly increase due to the increase in the
number of scenarios leading to fire
The risk due to D/G sets overload reduces in system with batteries as batteries act as an
additional barrier to the propulsion loss hazard.
Comparing the number of hazardous scenarios for two systems can lead to wrong conclusions.
Still the hazardous scenarios number can be used for comparison of systems complexity.
The new approach can be used as basis for development of a method for safety comparison
between cyber-physical systems.
Whilst the applied methodology was useful for identifying the critical UCAs and comparing risk
metrics failures for different systems, still it can be considered as a premature. The methodology
could be enhanced by incorporating uncertainty analysis or by integrating it with other methods. The
approach could also be enhanced by incorporating multiple experts ranking. However, all these
constitute suggestions for future research.
The work described in this paper was produced in research project NEXUS. The project has
received funding from the European Union's Horizon 2020 research and innovation programme
under agreement No 774519. Kongsberg Maritime CM AS is kindly acknowledged for provision of
the relevant system information. The authors greatly acknowledge the funding from DNV GL AS and
RCCL for the MSRC establishment and operation. The opinions expressed herein are those of the
authors and should not be construed to reflect the views of EU, DNV GL AS and RCCL.
Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their
foundation. European Journal of Operational Research, 253(1), 1-13. Retrieved from
Becker, C., & Van Eikema Hommes, Q. (2014). Transportation systems safety hazard analysis tool
(SafetyHAT) user guide (version 1.0). Retrieved from
Blandine, A. (2013). System theoretic hazard analysis applied to the risk review of complex
systems: an example from the medical device industry. (Doctor of Philosophy),
Massachusetts Institute of Technology, Cambridge, MA, USA Retrieved from (849655099)
Bolbot, V., Theotokatos, G., Boulougouris, E., & Vassalos, D. (2019). Comparison of diesel-
electric with hybrid-electric propulsion system safety using System-Theoretic Process
Analysis. Paper presented at the Propulsion and Power Alternatives, London, United
Bolbot, V., Theotokatos, G., Bujorianu, L. M., Boulougouris, E., & Vassalos, D. (2019).
Vulnerabilities and safety assurance methods in Cyber-Physical Systems: A comprehensive
review. Reliability Engineering & System Safety, 182, 179-193. Retrieved from
Bolbot, V., Theotokatos, G., & Vassalos, D. (2018). Using system-theoretic process analysis and
event tree analysis for creation of a fault tree of blackout in the Diesel-Electric Propulsion
system of a cruise ship. Paper presented at the International Marine Design Conference XIII,
Helsinki, Finland.
Brandsaeter, A., Valoen, L. O., Mollestad, E., & Haugom, G. P. (2015). In focus – the future is
hybrid. DNV GL. Retrieved from
BSI. (2004). Functional safety - Safety instrumented systems for the process industry sector. In Part
3: Guidance for determination of the required safety integrity levels (Vol. IEC-61511).
Dawson, L. A., Muna, A. B., Wheeler, T. A., Turner, P. L., Wyss, G. D., & Gibson, M. E. (2015).
Assessment of the Utility and Efficacy of Hazard Analysis Methods for the Prioritization of
Critical Digital Assets for Nuclear Power Cyber Security. Retrieved from
DNVGL. (2015). Dynamic positioning vessel design philosophy guidelines. Recommended practice
(DNVGL-RP-E306). In.
EC. (2019). NEXUS - Towards Game-changer Service Operation Vessels for Offshore Windfarms.
Retrieved from
Geertsma, R. D., Negenborn, R. R., Visser, K., & Hopman, J. J. (2017). Design and control of
hybrid power and propulsion systems for smart ships: A review of developments. Applied
Energy, 194, 30-54. Retrieved from
Goerlandt, F., Khakzad, N., & Reniers, G. (2016). Validity and validation of safety-related
quantitative risk analysis: A review. Safety Science, 99(November), 127-139. Retrieved
Hamann, R., Papanikolaou, A., Eliopoulou, E., & Golyshev, P. (2013). Assessment of safety
performance of container ships. Proceedings of the IDFS, 18-26.
Hill, D. M., Agarwal, A., & Gully, B. (2015). A review of engineering and safety considerations for
hybrid power (Lithium-Ion) systems in offshore applications. Oil and Gas facilities, June
2015, 68-77.
IMCA. (2015). International Guidelines for The Safe Operation of Dynamically Positioned
Offshore Supply Vessels (182 MSF Rev. 2). In.
IMO. (2008). Formal Safety Assessment - Cruise ships. Retrieved from
International Maritime Organisation. (2013). Revised guidelines for formal safety assessment (FSA)
for use in the IMO rule-making process. London Retrieved from
Jeong, B., Oguz, E., Wang, H., & Zhou, P. (2018). Multi-criteria decision-making for marine
propulsion: Hybrid, diesel electric and diesel mechanical systems from cost-environment-
risk perspectives. Applied Energy, 230, 1065-1081. Retrieved from
Johansen, I., & Rausand, M. (2012). Risk metrics: Interpretation and choice. Paper presented at the
Industrial Engineering and Engineering Management (IEEM), 2012 IEEE International
Conference on.
Leveson, N. (2011). Engineering a safer world: Systems thinking applied to safety: MIT press.
Leveson, N., & Thomas, J. (2018). STPA Handbook. In.
Leveson, N. G. (2011). Engineering a safer world: Systems thinking applied to safety. London,
England: The MIT press.
Organization, I. M. (2014). SOLAS: consolidated text of the International Convention of Safety of
Life at Sea, 1974, as amended (6th consolidated edition ed.): International Maritime
Puisa, R., Lin, L., Bolbot, V., & Vassalos, D. (2018). Unravelling causal factors of maritime
incidents and accidents. Safety Science, 110, 124-141. Retrieved from
Räsänen, J.-E. (2017). Current and future scale limitation for alternative marine power and
propulsion solutions. Paper presented at the Power & Propulsion Alternatives for Ships,
Rotterdam, Netherlands.
Rokseth, B., Utne, I. B., & Vinnem, J. E. (2017). A systems approach to risk analysis of maritime
operations. Proceedings of the Institution of Mechanical Engineers, Part O: Journal of Risk
and Reliability, 231(1), 53-68. Retrieved from
Sulaman, S. M., Beer, A., Felderer, M., & Höst, M. (2017). Comparison of the FMEA and STPA
safety analysis methods–a case study. Software Quality Journal, 1-39.
Thomas, J. (2013). Extending and automating a systems-theoretic hazard analysis for requirements
generation and analysis. Massachusetts Institute of Technology,
United Kingdom Protection & Indemnity Club. (2015). Risk Focus: Loss of power. Retrieved from
Vassalos, D., Atzampos, G., Paterson, D., Cichowicz, J., Bertheussen Karolius, K., Boulougouris,
E., & Konovessis, D. (2019). Intact stability of passenger ships: safety issue or design
concern? Neither!
Vinnem, J.-E. (2014). Offshore Risk Assessment vol 1: Springer.
AVR Automatic Voltage Regulator
BMS Battery Management System
BTU Bus Tie Unit
D/G Diesel Generator
DC Direct Current
FMEA Failure Modes and Effects Analysis
IMO International Maritime Organisation
SOV Service Operation Vessels
STPA System-Theoretic Process Analysis
PMS Power Management System
PLL Potential Loss of Life
UCA Unsafe Control Actions
... The interactions between these systems were included in the presented analysis, however PMS hierarchy and other systems were analysed in a separate study also presented in this conference (V. Bolbot et al., 2019). ...
... The interactions between these systems were included in the presented analysis, however PMS hierarchy and other systems were analysed in a separate study also presented in this conference (V. Bolbot et al., 2019). ...
Conference Paper
Full-text available
The adage "prevention is better than cure" is at the heart of safety principles. However, effective accident prevention is challenging in complex, highly automated systems such as modern DP-driven vessels, which are supposed to safely transfer technicians in often unfavourable environmental conditions. FMEA analysis, which is required for DP-driven vessels, is helpful to build-in a necessary level of redundancy and thereby mitigate consequences of failures, but not particularly helpful to inform preventive measures, not least against functional glitches in controlling software. In this paper we develop a set of functional safety requirements which are aimed at prevention of causal factors behind drift-off, drive-off and other hazardous scenarios. For this purpose, we use a systemic hazard analysis by STPA, which delivers both failure and interaction-based (reliable-but-unsafe) scenarios. The functional requirements cover both design and operational (human element related) requirements, which are then ranked based on our proposed heuristic. The ranking is not predicated on statistics or expert option but instead it is proportional to the number of hazardous scenarios a requirement protects against, hence indicating the relative importance of the requirement. The paper also summarises the suggested areas of safety improvement for DP-driven vessels.
Aalto University hosted the 2nd edition of the International Seminar on Safety and Security of Autonomous Vessels (ISSAV) together with the 7th edition of the European STAMP Workshop and Conference (ESWC). ISSAV promotes all aspects of maritime safety and security in the context of autonomous vessels. The seminar focuses on exchanging knowledge about key safety and security challenges and opportunities in the context of autonomous vessels and the autonomous maritime ecosystem. The ESWC focuses on applications and studies related to the Systems-Theoretic Accident Model and Processes (STAMP) which is a relatively new systems-thinking approach to engineering safer systems. The 2nd edition of the International Seminar on Safety and Security of Autonomous Vessels (ISSAV) and the 7th edition of the European STAMP Workshop and Conference (ESWC) took place 17-20 September 2019 in Helsinki, Finland. Scope – ISSAV Autonomous vessels have become a topic of high interest for the maritime transport industry. Recent progress in the development of technologies enabling autonomous systems has fostered the idea that autonomous vessels will soon be a reality. However, before the first autonomous vessel can be released into her actual context of operation, it is necessary to ensure that it is safe and secure. The aim of ISSAV is to promote all aspects of maritime safety and security in the context of autonomous vessels. The seminar focuses on exchanging knowledge about key safety and security challenges and opportunities in the context of autonomous vessels and the autonomous maritime ecosystem. The seminar has a special emphasis on: 1. The challenges in managing safety and security in the operation of autonomous vessels and the entire ecosystem of an autonomous maritime system 2. Innovative approaches for managing the safety of autonomous vessels, supporting the design, operations and managerial strategies for ensuring the safety in the functioning of the autonomous maritime system. 3. Digitalization as technological enabler for efficient safety and security assurance in the context of autonomous shipping. 4. Discussion and research on how to standardize safety approaches for autonomous vessels. 5. The development of intelligent security strategies for establishing resilient and robust systems for autonomous vessels 6. Safety and security integration in the operative context of autonomous maritime systems 7. Safety aspects of autonomous shipping in extreme environments Scope – ESWC Traditional system safety approaches are being challenged by the introduction of new technology and the increasing complexity of the systems we design, manufacture and operate. STAMP and its associated tools deal with the complexity of systems and provide systematic ways to analyze and assess existing and conceptual systems proactively or detect and illustrate deficiencies revealed through investigations. ESWC brings together researchers and practitioners who apply, or want to get familiar with, STAMP that is widely used in different sectors such as space, aviation, healthcare, defense, nuclear, railways, infrastructure and automotive. The conference covers the following topics: 1. Experiences using STPA, STPA-Sec, and CAST 2. Introducing STAMP, STPA, and CAST into large organizations 3. Safety-guided and Security-guided design using STPA and STPA-Sec 4. Using STPA to make decisions
Conference Paper
Full-text available
In material handling and logistics, there’s a trend towards increasingly adaptable and flexible approaches on all system levels: from the supply chain and logistic network level down to the factory and warehouse floors. Recent examples of increasingly flexible material handling technologies on the floor level are autonomously navigating automated guided vehicles (AGVs) and plug-and-work material handling systems, the first allowing adaptable material flow systems with minimal fixed infrastructure, the latter allowing the user to easily re-configure steady conveyor systems on demand. In the field of safety engineering, there has recently beenresearch towards safety assurance of open adaptive systems (OAS) with frameworks such as runtime certification as potential enabler for these novel systems. In this work, we seek to combine recent concepts from the safety engineering community with traditional and advanced technologies from the area of material handling machinery to enable the next step in operational flexibility in this application area. We suggest potential application use cases which would be enabled by the use of dynamic safety contracts: safely cooperating material handling machinery. Compared to machinery with traditional, fixed interfaces, the machine-to-machine cooperation will increase the complexityofthe requiredsafety-related control systems and software, which will in turn require new approaches for the risk assessment and safety engineering of these types of systems.We suggest the use of STPA for safety-driven design of cooperative material handlingmachinery. We discuss one novel application concept, AGV-Storage crane cooperative handover,in detailand present initial results of STPA analysis for the application.
Conference Paper
Full-text available
Cruise ship industry is rapidly developing, with both the vessels size and number constantly growing up, which renders ensuring passengers, crew and ship safety a paramount necessity. Collision, grounding and fire are among the most frequent accidents on cruise ships with high consequences. In this study, a hazard analysis of diesel-electric and hybrid-electric propulsion system is undertaken using System-Theoretic Process Analysis (STPA). The results demonstrate significant increase in potential hazardous scenarios due to failures in automation and control systems, leading to fire and a higher number of scenarios leading to propulsion and power loss in hybrid-electric propulsion systems than on a conventional cruise-ship propulsion system. Results also demonstrate that STPA enhancement is required to compare the risk of two propulsion systems.
Full-text available
As Cyber-Physical Systems (CPSs) are a class of systems advancing in a number of safety critical application areas, it is crucial to ensure that they operate without causing any harm to people, environment and assets. The complexity of CPSs though, render them vulnerable and accident-prone. In this study, the sources of complexity are meticulously examined and the state-of-the-art and novel methods that are used for the safety assurance of CPSs are reviewed. Furthermore, the identified safety assurance methods are assessed for their compatibility with the technical processes during the system design phase and the methods effectiveness on addressing the different CPSs sources of complexity is investigated. Advantages and disadvantages of the different safety assurance methods are also presented. Based on the results of this review, directions for the safety enhancement of CPSs and topics for future research in the area of CPSs safety are provided.
Full-text available
Lessons from maritime accidents are conventionally used to inform safety improvements in design and operation of ships. However, this process is only as good as the core understanding derived from accident analysis is. The current explanation of accidents is limited to direct and contributing causal factors, whereas the role of a wider socio-technical context that has given rise to causal mechanisms behind major maritime accidents in recent years is left unexplained. The paper describes analysis results of maritime incidents and accidents occurred over the last decade with passenger ships, with the purpose to illuminate the prevailing causal factors, not least the systemic ones. The results show where the weak links in maritime safety control are (e.g., interactions between ship operators and equipment manufacturers), what their role in accident causation is, and how they can be strengthened. The study seeks to provide valuable input for enhancements in overall maritime safety control and proactive safety management at the ship and shipping company levels.
Conference Paper
Full-text available
Diesel-Electric Propulsion (DEP) has been widely used for propulsion of LNG carriers, icebreakers, drilling units, warships and cruise ships. It is important that every blackout is prevented, especially on cruise ships, considering the possible consequences of such an event. In this work, hazard analysis of a simplified DEP system of a cruise ship is implemented to identify the hazardous scenarios leading to a blackout. This is achieved by combining System-Theoretic Process Analysis (STPA) and Event Tree Analysis (ETA). The STPA is used to identify the hazards and the possible control actions leading to hazards along with their causal factors, whilst the ETA is used to determine the propagation of hazards into the other hazards or accident. Next, the results of STPA and ETA are mapped into a Fault Tree for better representation of results. In this way, the relationship between accident, hazards and unsafe control actions is explicitly described and a more comprehensive picture of the potential accidental scenarios in the system is provided, rendering possible allocation of quantitative performance requirements as per IEC 61508.
Full-text available
As our society becomes more and more dependent on IT systems, failures of these systems can harm more and more people and organizations. Diligently performing risk and hazard analysis helps to minimize the potential harm of IT system failures on the society and increases the probability of their undisturbed operation. Risk and hazard analysis is an important activity for the development and operation of critical software intensive systems, but the increased complexity and size puts additional requirements on the effectiveness of risk and hazard analysis methods. This paper presents a qualitative comparison of two hazard analysis methods, failure mode and effect analysis (FMEA) and system theoretic process analysis (STPA), using case study research methodology. Both methods have been applied on the same forward collision avoidance system to compare the effectiveness of the methods and to investigate what are the main differences between them. Furthermore, this study also evaluates the analysis process of both methods by using a qualitative criteria derived from the technology acceptance model (TAM). The results of the FMEA analysis were compared to the results of the STPA analysis, which were presented in a previous study. Both analyses were conducted on the same forward collision avoidance system. The comparison shows that FMEA and STPA deliver similar analysis results.
Full-text available
The recent trend to design more efficient and versatile ships has increased the variety in hybrid propulsion and power supply architectures. In order to improve performance with these architectures, intelligent control strategies are required, while mostly conventional control strategies are applied currently. First, this paper classifies ship propulsion topologies into mechanical, electrical and hybrid propulsion, and power supply topologies into combustion, electrochemical, stored and hybrid power supply. Then, we review developments in propulsion and power supply systems and their control strategies, to subsequently discuss opportunities and challenges for these systems and the associated control. We conclude that hybrid architectures with advanced control strategies can reduce fuel consumption and emissions up to 10–35%, while improving noise, maintainability, manoeuvrability and comfort. Subsequently, the paper summarises the benefits and drawbacks, and trends in application of propulsion and power supply technologies, and it reviews the applicability and benefits of promising advanced control strategies. Finally, the paper analyses which control strategies can improve performance of hybrid systems for future smart and autonomous ships and concludes that a combination of torque, angle of attack, and Model Predictive Control with dynamic settings could improve performance of future smart and more autonomous ships.
Full-text available
Technological innovations and new areas of application introduce new challenges related to safety and control of risk in the maritime industry. Dynamically positioned systems are increasingly used, contributing to a higher level of autonomy and complexity aboard maritime vessels. Currently, risk assessment and verification of dynamically positioned systems are focused on technical reliability, and the main effort is centered on design and demonstration of redundancy in order to protect against component failures. In this article, we argue that factors, such as software-requirement errors, human errors, including unsafe or too late decision-making, and inadequate coordination between decision makers, also should be considered in the risk assessments. Hence, we investigate the feasibility of using a systems approach to analyzing risk in dynamically positioned systems and present an adapted version of the system-theoretic process analysis. A case study where the system-theoretic process analysis is applied to a dynamically positioned system is conducted to assess whether this method significantly expands the current view on safety of dynamically positioned systems. The results indicate that the reliability-centered approaches, such as the failure mode and effect analysis, sea trials, and hardware-in-the-loop testing, are insufficient and that their view on safety is too narrow. This article shows that safety constraints can be violated in a number of manners other than component failures for dynamically positioned systems, and hence, system-theoretic process analysis complements the currently applied methods.
Full-text available
Quantitative risk analysis (QRA) is widely applied in several industries as a tool to improve safety, as part of design, licensing or operational processes. Nevertheless, there is much less academic research on the validity and validation of QRA, despite their importance both for the science of risk analysis and with respect to its practical implication for decision-making and improving system safety. In light of this, this paper presents a review focusing on the validity and validation of QRA in a safety context. Theoretical, methodological and empirical contributions in the scientific literature are reviewed, focusing on three questions. Which theoretical views on validity and validation of QRA can be found? Which features of QRA are useful to validate a particular QRA, and which frameworks are proposed to this effect? What kinds of claims are made about QRA, and what evidence is available for QRA being valid for the stated purposes? A discussion follows the review, focusing on the available evidence for the validity of QRA and the effectiveness of validation methods.
The paper introduces a new decision-making process which is used to compare the performance of a ship with either diesel electric hybrid propulsion or conventional propulsion systems. A case study was carried out to compare the performance of both propulsions from cost, environmental and risk perspectives. This paper also overviews the modern approaches of multi-criteria decision-making and highlights some of their shortcomings in particular the fact that these approaches often rely on different criteria such as financial, environmental or risk. This paper aims to overcome this shortcoming by enhancing the process of multi-criteria decision analysis. The key process in this research was to convert all incomparable values into monetary values, thereby enabling the impacts of each criterion to be compared and integrated in a straightforward manner. Results of the case study showed that the use of a hybrid propulsion system could reduce annual operational costs by $ 300,000 (2% total cost) compared with a diesel electric system and almost $ 1 million (7%) compared to a diesel mechanical propulsion system. In order to investigate the optimal use of the hybrid propulsion system, various operational scenarios were identified and applied to the proposed decision-making process. The results showed that operating the ship in hybrid mode during manoeuvring and berthing is more desirable as the holistic cost can reduce in almost $ 1 million. The advantages of the proposed decision making process was illustrated by comparing the results obtained from a conventional decision-making process using the analytical hierarchical method. It is believed that the research findings not only present general understanding of the possible advantages of hybrid propulsion for stakeholders, but provide them with an insight into the enhanced approach into the multi-criteria decision analysis.